In the Alerts Grouping screen, you can configure how alerts are grouped into cases.
This screen also lets you define the Alerts Overflow configuration. The default threshold is more than 50 alerts in 10 minutes. The Alerts Overflow mechanism is designed to prevent the system from being flooded when many alerts from the same environment, product and rule occur within a short period of time.
Once triggered, an Overflow case is added to the case queue. It contains a single alert that identifies the environment, product and rule of the overflowing alerts, and it carries an Overflow tag.
Alerts Grouping settings:

| Setting | Description |
|---|---|
| Max. alerts grouped into a Case | Define the maximum number of alerts to group together into one Case. |
| Grouping Type | Choose between Entities or SourceGroupingIdentifier (relevant for alerts coming from the QRadar Connector, where the identifier is called "offense"). |
| Timeframe for grouping alerts (in hours) | Choose the number of preceding hours within which alerts are grouped into the Case. |
| Match Entities | Source Only, Destination Only or Both directions. |

Alerts Overflow settings:

| Setting | Description |
|---|---|
| Timeframe for grouping alerts (in hours) | Choose the number of preceding hours within which overflow alerts are grouped into the Case. |
| Max. alerts grouped into a Case | Define the maximum number of overflow alerts to group together into one Case. |
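As an added illustration (not part of this documentation or the product's own code), the following Python sketch models the Overflow mechanism described above: a sliding 10-minute window per environment/product/rule that opens a single Overflow-tagged case once the default of 50 alerts is exceeded. The alert dictionary layout, the constructed sample alert streams, and the `absorbed` handling of alerts that arrive after the Overflow case has opened are assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Page default: more than 50 alerts in 10 minutes for one environment/product/rule.
OVERFLOW_THRESHOLD = 50
OVERFLOW_WINDOW = timedelta(minutes=10)

class OverflowDetector:
    """Sliding-window alert counter per (environment, product, rule) key."""
    def __init__(self, threshold=OVERFLOW_THRESHOLD, window=OVERFLOW_WINDOW):
        self.threshold, self.window = threshold, window
        self.recent = defaultdict(deque)  # key -> arrival times still inside the window
        self.overflowing = set()          # keys that already have an open Overflow case

    def ingest(self, alert):
        """Return ('case', alert) for normal grouping, ('overflow_case', placeholder) when
        the key crosses the threshold, or ('absorbed', key) afterwards (assumption: later
        alerts for an overflowing key fold into that Overflow case, not into new cases)."""
        key = (alert["environment"], alert["product"], alert["rule"])
        now = alert["time"]
        times = self.recent[key]
        times.append(now)
        while now - times[0] > self.window:  # forget arrivals older than the window
            times.popleft()
        if key in self.overflowing:
            return "absorbed", key
        if len(times) > self.threshold:
            self.overflowing.add(key)
            # The Overflow case holds one alert naming the key, tagged Overflow.
            return "overflow_case", {"environment": key[0], "product": key[1],
                                     "rule": key[2], "tags": ["Overflow"]}
        return "case", alert

def make_alerts(environment, product, rule, count, start, spacing):
    # Constructed sample alerts, evenly spaced from `start`.
    return [{"environment": environment, "product": product, "rule": rule,
             "time": start + i * spacing} for i in range(count)]

def summarize(alerts):
    """Feed alerts in arrival order and count each outcome."""
    detector, counts = OverflowDetector(), {"case": 0, "overflow_case": 0, "absorbed": 0}
    for alert in sorted(alerts, key=lambda a: a["time"]):
        counts[detector.ingest(alert)[0]] += 1
    return counts

def demo():
    """60 alerts in 5 minutes trips overflow; 50 alerts over 25 minutes never does."""
    t0 = datetime(2024, 1, 1, 9, 0)
    storm = make_alerts("prod", "EDR", "suspicious-powershell", 60, t0, timedelta(seconds=5))
    trickle = make_alerts("prod", "EDR", "suspicious-powershell", 50, t0, timedelta(seconds=30))
    return summarize(storm), summarize(trickle)
```

Running `demo()` shows the storm collapsing into 50 normally grouped alerts plus one Overflow case, while the slower stream of the same size never crosses the window threshold.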